A.2. CSR Attributes
The following is an example of a valid /csrattrs exchange. During
this exchange, the EST client authenticates itself using an existing
certificate issued by the CA for which the EST server provides
services.
The initial TLS handshake is identical to the enrollment example
handshake. The HTTP GET request:
GET /.well-known/est/csrattrs HTTP/1.1
User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: 192.0.2.1:8085
Accept: */*
In response, the server provides suggested attributes that are
appropriate for the authenticated client. In this example, the EST
server also includes two example attributes that the client would
ignore unless the attribute type is known to the client:
HTTP/1.1 200 OK
Status: 200 OK
Content-Type: application/csrattrs
Content-Transfer-Encoding: base64
Content-Length: 171
MHwGBysGAQEBARYwIgYDiDcBMRsTGVBhcnNlIFNFVCBhcyAyLjk5OS4xIGRhdGEG
CSqGSIb3DQEJBzAsBgOINwIxJQYDiDcDBgOINwQTGVBhcnNlIFNFVCBhcyAyLjk5
OS4yIGRhdGEGCSskAwMCCAEBCwYJYIZIAWUDBAIC
A.3. Enroll/Re-enroll
The following is an example of a valid /simpleenroll exchange. The
data messages for /simplereenroll are similar.
During this exchange, the EST client uses an out-of-band distributed
username/password to authenticate itself to the EST server. This is
the normal HTTP WWW-Authenticate behavior and is included here for
informative purposes. When an existing TLS client certificate is
used, the server might skip requesting the HTTP WWW-Authenticate
header, such as during a /simplereenroll operation.
During the initial TLS handshake, the client can ignore the optional
server-generated "certificate request" and can instead proceed with
the HTTP POST request. In response to the initial HTTP POST attempt,
--estServerExampleBoundary--
This is the epilogue. It is also to be ignored.
Appendix B. Contributors and Acknowledgements
The editors would like to thank Stephen Kent, Vinod Arjun, Jan
Vilhuber, Sean Turner, Russ Housley, and others for their feedback
and prototypes of early versions of this document. Our thanks also
go to the authors of [RFC6403], around whose document we structured part
of this specification.